Mobile apps are emerging as a major threat to enterprise security, and the threat is growing by the day.
Worries about mobile security are not new. For years, we have heard about the spread of bring-your-own-device (BYOD) policies and the challenges posed by personal mobile devices on the job.
But only now are the full contours of the mobile security challenge coming into view. At the heart of the problem is mobile apps — there are just too many of them to manage securely.
A Million and a Half Mobile Apps
As Karen A. Frenkel reported at CIO Insight, over 1.5 million apps were available in the Apple App Store as of June 2015, more than 300,000 of which were added in the past year.
The overall marketplace now offers millions of mobile software applications, most of them just a few taps away at major app stores. This level of software output “would have been unthinkable during the PC era,” Frenkel observed.
The software market has been entirely transformed. Just a few years ago, most people lived in a PC-centric information universe, and we dealt with it mainly through a few dozen to at most a few hundred software apps. These were often big, integrated packages such as Microsoft Office. They might have had security flaws, but they were known quantities.
Those days are over. Just a single mobile security provider now must analyze thousands of apps for security holes that attackers might exploit.
Vetting Struggles to Keep Up With Development
Hand in hand with the sheer volume of apps goes the new agile and DevOps culture of application development. Remember when software version releases came out at a stately pace, every six months to two years? Millions of apps could not possibly have been developed that way.
But now even major tools such as Web browsers have a development release cycle measured in weeks. Apps are pieced together and pushed out the door on the fly, barely into the stores before the next release is ready for beta.
This adds up to hundreds of thousands of mobile apps — most of them only sketchily tested for security, if at all — floating around the edges of enterprise networks, loaded onto employees’ personal devices or even living on corporate devices. With more and more enterprise data going mobile, a collision is inevitable.
Indeed, a survey by IDG and Lookout found that 74 percent of respondents reported their organizations had suffered mobile security breaches. Along with insecure Wi-Fi connections, the chief causes of these incidents were apps that had security flaws or contained malware.
Mobile security is drawing more attention and investment, but while the mobile app security challenge may have a simple cause — the sheer volume of apps — it has no simple solution. The apps are out there and employees will use them. Enterprises will have to draw on mobile security strategies, from closer control over data to white-listing apps, to protect themselves from being overwhelmed by the flood of applications.
Read the Ponemon Institute Study on the State of Mobile Application Insecurity